
The RaidForums Takedown

  • April 15, 2022
  • Clayton Rice, K.C.

An online marketplace for trafficking in hacked data was seized this week following a global investigation that resulted in the takedown of the RaidForums website. The alleged chief administrator has been charged with conspiracy, access device fraud and aggravated identity theft. The founder of the site, Diogo Santos Coelho, a Portuguese national, was arrested earlier this year and remains in custody in the United Kingdom pending the conclusion of extradition proceedings initiated by the United States. The popular English-language emporium reputedly sold access to more than ten billion consumer records stolen in some of the world’s largest data heists.

1. Introduction

On April 12, 2022, the United States Department of Justice unsealed court records disclosing that a judicial authorization was recently obtained to seize three domains that hosted RaidForums: “raidforums.com”, “Rf.ws” and “Raid.lol”. According to the extradition affidavit of U.S. Attorney Carina A. Cuellar, RaidForums functioned as an online marketplace for stolen databases containing sensitive personal and financial information, including stolen bank routing and account numbers, credit card information, login credentials and social security numbers. (here) The seizure notice appearing on the RaidForums website states that the law enforcement action was taken in parallel with Europol’s Joint Cybercrime Action Task Force, the United Kingdom’s National Crime Agency, the Swedish Police Authority, the Romanian National Police and the Internal Revenue Service. (here) Europol lauded the takedown, saying the online marketplace was seized in a coordinated investigation called Operation Tourniquet. (here)

2. Background

According to investigative journalist Brian Krebs, RaidForums emerged from humble beginnings primarily involved in electronic harassment, including ‘raiding’, to become “the go-to place for English-speaking hackers to peddle their wares.” (here) The busiest marketplace within RaidForums was ‘Leaks Market’, a self-described place to buy, sell and trade hacked databases and leaks. A similar analysis of RaidForums’ growth was made by journalist Joseph Cox in a post to VICE. (here) Mr. Cox described RaidForums as a “bottom-of-the-barrel” hacking forum where users traded in data that was “sourced from long ago and publicly reported”. The members were “lower skilled hackers” using lists of usernames and passwords dumped on the site. But RaidForums eventually developed into a repository for “previously undisclosed hacks” that included data belonging to oil giant Saudi Aramco. Associates of the LAPSUS$ hacking group, which breached Nvidia, Samsung and Okta, also used the site. Mr. Cox said the news of the takedown capped off weeks of speculation that the site had been taken over by law enforcement when RaidForums went offline earlier in the year.

3. The Indictment

On March 15, 2022, a grand jury in the United States District Court, Eastern District of Virginia, Alexandria Division, returned the Second Superseding Indictment in United States v. Diogo Santos Coelho, asserting that Mr. Coelho profited from the commerce on the platform by charging escalating prices for membership tiers that offered greater access and features. (here) Using the monikers “Omnipotent” and “Downloading”, he operated the website with the help of other administrators from January 1, 2015, to January 31, 2022. Here are four takeaways from the key allegations:

  • An individual could access the RaidForums website without a membership. However, the website required an individual to sign up for a membership to solicit items for sale or purchase items. The RaidForums website offered four tiers of membership options, including in order of cost: (1) free membership; (2) VIP membership; (3) MVP membership; and (4) God membership. The more expensive the membership, the more access a user could get to the RaidForums website and features.
  • The RaidForums website sold “credits” to members, which granted members access to privileged areas of the website and enabled members to “unlock” and download stolen access devices, means of identification, and data from compromised databases, among other items. Members could also earn credits through other means including, but not limited to, by posting instructions on how to commit certain illegal acts.
  • The RaidForums website had different forums where members could post about different subjects and offer items for sale. The forums included “Cracking,” “Leaks,” and “Marketplace,” among others. The “Leaks” forum had a sub-forum entitled the “Leaks Market.” The “Leaks Market” description stated that it was “[a] place to buy/sell/trade databases and leaks.” The “Leaks Market” included for-sale listings for bank routing and account numbers, and stolen payment card data, such as payment card account numbers, card verification values (“CVV”) or card verification codes (“CVC”), card expiration dates, or personal identification numbers. The “Leaks Market” sub-forum also displayed posts listing offers to sell the personal identifying information of individuals, such as names, email addresses, and social security numbers, and hacked databases of login credentials, such as user names and associated passwords, for access to online accounts issued by United States entities.
  • COELHO offered an “Official Middleman Service” for a fee on the RaidForums website. More specifically, COELHO offered to accept cryptocurrency from the purchaser and files, including stolen access devices and means of identification, from the seller. Once the parties were satisfied, COELHO released the funds to the seller and the files, including stolen access devices and means of identification, to the purchaser. (at paras. 5-8)

In a concurrent press release, the Department of Justice said members of RaidForums used the platform for the sale of hundreds of databases of stolen data “containing more than 10 billion unique records for individuals residing in the United States and internationally.” (here) And in a post to Ars Technica, senior IT reporter Jon Brodkin reminded readers that in 2019 a database with personal information for 1.4 million accounts was posted on RaidForums following the hack of cryptocurrency wallet service GateHub. (here) With over 530,000 members and its low requirements for entry, RaidForums “made it extremely easy for new and established threat actors to be active in the data breach and leak community”, according to the threat intelligence firm Recorded Future. (here)

4. Evidence Sources

The Cuellar affidavit provides an overview of the primary sources of evidence gathered by the FBI and the United States Secret Service. The investigators memorialized screenshots of conversations through the messaging services Discord and Telegram in which Mr. Coelho allegedly facilitated transactions with other members of RaidForums. The FBI obtained a copy of the back-end database for RaidForums that contained “a substantial amount of information that is not generally accessible to the public or other RaidForums members”, including account registration information, user Internet Protocol addresses, login information, and private messages of members and administrators of RaidForums, including Mr. Coelho’s monikers “Omnipotent” and “Downloading”. The investigators also obtained warrants to search Discord and Twitter accounts associated with RaidForums activity that allegedly revealed Mr. Coelho “providing middleman services” to other RaidForums members. (at paras. 12-14)

5. Who is Omnipotent?

On June 25, 2018, Mr. Coelho attempted to enter the United States at Hartsfield-Jackson International Airport in Atlanta, Georgia. He allegedly gave a law enforcement official certain biographical information and said that he worked in “coding” and owned his own website. According to the Cuellar affidavit, a warrant was obtained to search the electronic devices he brought with him upon entry. The search confirmed that the devices belonged to Mr. Coelho and that he used the moniker “Omnipotent” to operate and administer RaidForums. The smartphone had received emails from the “mail system at host raidforums” as well as emails concerning a new RaidForums password and account activation. The phone also revealed a Discord account with the username “Omnipotent” and an account with Snapchat, a multimedia instant messaging application, under the name “Diogo {Omnipotent}”. (at para. 39)

6. The T-Mobile Connection

The Cuellar affidavit describes the purchase of databases using Omnipotent’s middleman service that experts have connected with the T-Mobile breach that occurred last year. On August 11, 2021, an individual using the moniker “SubVirt” posted an offer to sell recently hacked data on the RaidForums website. The post provided a small sample of data which included names and dates of birth. The information was priced at six Bitcoin, equivalent to approximately $273,672 at the time. Several days later, “SubVirt” revised the post and provided a Telegram handle as contact information for interested buyers. A subsequent post confirmed that the hacked data “belonged to a major telecommunications company and wireless network operator that provides services in the United States”. After the post, the company hired a third party to purchase exclusive access to the database to prevent it from being sold. The entire database was bought for a Bitcoin amount then equivalent to approximately $150,000. The deal was for “SubVirt” to destroy their copy of the database, but it appears the conspirators continued to attempt to sell the databases after the third party’s purchase. (at paras. 32-33) Although the Cuellar affidavit does not explicitly identify the telecommunications company, “SubVirt” told VICE at the time that the database consisted of information for T-Mobile customers and, days later, the company acknowledged the breach of 47 million records. (here)

7. Conclusion

On January 31, 2022, Mr. Coelho was arrested in England, and he remains in custody while the extradition application by the United States proceeds through the British legal system. During an interview published by The Record on January 13, 2022, he said he was unconcerned about surveillance of RaidForums by law enforcement. “I just assume that the forum is being surveilled but then again in this day and age everyone is being surveilled,” he said. “It’s very likely that any website of this size would be surveilled by multiple federal and non-federal entities. In conclusion, I’m not bothered by it as I try my best to be a law-abiding citizen.” (here) The takedown of RaidForums is the second dismantling of a high-profile online market this month. On April 5, 2022, German authorities said they had shut down Hydra Marketplace, considered to be the largest darknet market in the world, and seized more than $25 million in Bitcoin. The next day, the U.S. Justice Department unsealed an indictment charging Dmitry Olegovich Pavlov, a Russian national, with conspiracy to enable the site’s success by providing critical infrastructure that allowed Hydra “to operate and thrive in a competitive darknet market environment.” (here)